flat assembler
Message board for the users of flat assembler.

Index > Programming Language Design > Safety Forth

Ali.Z 16 Nov 2020, 04:01
if I'm not safe nor secure, then how could my code become secure? Laughing
plus, what is security and safety? Laughing

_________________
Asm For Wise Humans
sleepsleep 16 Nov 2020, 18:38
in the beginning, there is only 0, then suddenly it becomes 1, or 1 exists,

you got infinite boxes labelled 0 and 1, infinite truck to transport them, infinite function to process them, now start designing a good system,
DimonSoft 18 Nov 2020, 21:43
sleepsleep wrote:
in the beginning, there is only 0, then suddenly it becomes 1, or 1 exists,

you got infinite boxes labelled 0 and 1, infinite truck to transport them, infinite function to process them, now start designing a good system,

I can’t help quoting Joel (this blog post):
Joel Spolsky wrote:
You had ones? Lucky bastard! All we got were zeros.
Hugh-Aguilar 20 Nov 2020, 09:06
DimonSoft wrote:
sleepsleep wrote:
in the beginning, there is only 0, then suddenly it becomes 1, or 1 exists,

you got infinite boxes labelled 0 and 1, infinite truck to transport them, infinite function to process them, now start designing a good system,

I can’t help quoting Joel (this blog post):
Joel Spolsky wrote:
You had ones? Lucky bastard! All we got were zeros.

The FASM forum appears to be a nest of trolls --- posting idiotic nonsense in an effort to get a response, so they can post more idiotic nonsense...
Plus we have Revolution (a moderator!) telling me: "There is literally nothing that you can do..."
This is how maintenance programmers pass the time when they aren't reading a real programmer's source-code --- and then pretending that they wrote the source-code themselves, or at least made a positive contribution of some kind.

I will NEVER provide maintenance programmers with source code!

The purpose of Safety Forth is to allow real programmers to distribute code closed-source, while yet allowing users to download and run this closed-source code without fear that it is malware. I think this is possible.

_________________
When all else fails, write the source.
Furs 20 Nov 2020, 13:12
Hugh-Aguilar wrote:
The FASM forum appears to be a nest of trolls --- posting idiotic nonsense in an effort to get a response, so they can post more idiotic nonsense...
I wouldn't talk about others being trolls when you keep ignoring what people ask you. :rolleyes:

Here's a refresher (again):
revolution wrote:
And still you haven't addressed Meltdown, Rowhammer or Spectre. No amount of VMs, or it's-not-asm-code defeats those attacks. You need something much different for those.

Let's start simply. Show how you detect and counteract Rowhammer. Once you have that one solved then we can move on to the next one.
But I guess ignorance is bliss to you?

Those are vulnerabilities in the CPU. Vulnerabilities exist because things aren't designed perfectly. That's why they are called vulnerabilities. You can have a perfect sandbox and still have it broken by vulnerabilities such as privilege escalations outside of your control. That's the point.
Hugh-Aguilar 21 Nov 2020, 18:24
Furs wrote:
Hugh-Aguilar wrote:
The FASM forum appears to be a nest of trolls --- posting idiotic nonsense in an effort to get a response, so they can post more idiotic nonsense...
I wouldn't talk about others being trolls when you keep ignoring what people ask you. :rolleyes:

Here's a refresher (again):
revolution wrote:
And still you haven't addressed Meltdown, Rowhammer or Spectre. No amount of VMs, or it's-not-asm-code defeats those attacks. You need something much different for those.

Let's start simply. Show how you detect and counteract Rowhammer. Once you have that one solved then we can move on to the next one.
But I guess ignorance is bliss to you?

Those are vulnerabilities in the CPU. Vulnerabilities exist because things aren't designed perfectly. That's why they are called vulnerabilities. You can have a perfect sandbox and still have it broken by vulnerabilities such as privilege escalations outside of your control. That's the point.

That is not the point.
The point is that Safety Forth can't be used to write malware.
Safety Forth programs can be distributed closed-source and the user can feel confident that they aren't malware.

It is possible that you guys don't know the difference between a programming language and an operating system (OS).
Meltdown, Spectre and RowHammer make an OS insecure because somebody could theoretically write an asm program that accesses memory or files that it does not have authority to access.
If Menuet is vulnerable to these kinds of attacks, that is a problem for the OS author (Ville) --- it is not my responsibility to defend the OS against attack --- all I can do is to ensure that Safety Forth isn't used for attacking the OS, which would make me complicit in the attack (likely causing Ville to ban Safety Forth from being run under Menuet).

Above I said that Meltdown, Spectre and RowHammer could "theoretically" be used to access unauthorized memory. This has the smell of an urban legend. People vaguely theorize that such things could be done, then they write articles on the internet, then people like Revolution read these articles. This is just a bucket brigade of fake experts passing a bucket of B.S. up the line, which they then dump over my head. I really doubt that any of you have ever actually used Meltdown, Spectre and RowHammer successfully --- you are just typical internet experts talking up subjects that you don't know anything about.

The internet is full of fake experts. For example, it is easy to find self-proclaimed experts on VLIW processors. They read articles on the internet about the subject, which they believe make them experts.
After I wrote MFX for the MiniForth processor, I tried to talk to people about how an assembler for a VLIW processor works, and NOBODY understood anything that I was saying. It has been 25 years since I wrote MFX, and I have yet to find anybody who knows anything about the subject.
Lockheed-Martin has a VLIW processor that they use to generate images from radar data. They apparently got the hardware working, but they couldn't figure out how to write an assembler for it. They are hand-coding the assembly programs using a spreadsheet --- the programmer has to mentally figure out which instructions can be packed into which opcodes --- I tried to explain to them how this could be automated, but they didn't seem to understand anything that I was saying. This is what happens when people derive their knowledge from reading articles --- they end up being a fake expert on a subject that they don't know anything about.

_________________
When all else fails, write the source.
DimonSoft 21 Nov 2020, 21:02
Hugh-Aguilar wrote:
The point is that Safety Forth can't be used to write malware.

I guess it’s time to give your definition of the word “malware”.

Hugh-Aguilar wrote:
Safety Forth programs can be distributed closed-source and the user can feel confident that they aren't malware.

Programs in any programming language can be distributed closed-source. There’re thousands of languages (mostly hobbyist and/or educational) that don’t support any data input/output except keyboard/screen. While it technically is much harder to write malware with those languages, very few (if any) of the authors claim their languages to be safe/secure/malware-free. There’s a reason.

Hugh-Aguilar wrote:
Above I said that Meltdown, Spectre and RowHammer could "theoretically" be used to access unauthorized memory. This has the smell of an urban legend. People vaguely theorize that such things could be done,

I have the same feeling actually. And I personally treat side-channel attacks as just funny facts that prove Newton’s third law: nothing can be done without affecting something else. It’s like washing one’s hair and then complaining the amount of shampoo left has decreased…

Hugh-Aguilar wrote:
you are just typical internet experts talking up subjects that you don't know anything about.

… but this logic is broken. Or can be used for you in the same way. I’m not trying to offend you. But claiming a programming language doesn’t allow to do something unsafe… That we (you and us) cannot tell outright how to do that doesn’t make it impossible, ’cause security/safety is not limited to how the program is written, it also depends on how the program is executed by the processor or sandbox, or other runtime environment (which still relies on the processor being vulnerability-free).

Hugh-Aguilar wrote:
Lockheed-Martin has a VLIW processor that they use to generate images from radar data. They apparently got the hardware working, but they couldn't figure out how to write an assembler for it. They are hand-coding the assembly programs using a spreadsheet --- the programmer has to mentally figure out which instructions can be packed into which opcodes --- I tried to explain to them how this could be automated, but they didn't seem to understand anything that I was saying.

As far as I know, Intel Itanium had the same problem: people just were reluctant to write compilers that support all the cool stuff those processors support. What makes you think they didn’t understand your idea in your case? Maybe they just felt it was unnecessarily hard to implement as compared to the positive effect they would have in return? After all, technologies and ideas that increase the demand of workers tend to be more successful than those which decrease the demand: people are not willing to lose their job by being replaced with a machine, so they do their best to not let it happen.
Hugh-Aguilar 22 Nov 2020, 04:04
DimonSoft wrote:
Hugh-Aguilar wrote:
The point is that Safety Forth can't be used to write malware.

I guess it’s time to give your definition of the word “malware”.

malware: Programs that access memory or files that they are not authorized to access.

DimonSoft wrote:
Hugh-Aguilar wrote:
Safety Forth programs can be distributed closed-source and the user can feel confident that they aren't malware.

Programs in any programming language can be distributed closed-source. There’re thousands of languages (mostly hobbyist and/or educational) that don’t support any data input/output except keyboard/screen. While it technically is much harder to write malware with those languages, very few (if any) of the authors claim their languages to be safe/secure/malware-free. There’s a reason.

The reason is that those languages allow access to memory that they are not allowed to access and/or they allow user-written machine-code to be called that could do pretty much anything.

I don't think that you are paying attention.
I have said all of this multiple times now. Also, what I'm saying is very obvious and easy to understand.
I think that you are just playing dumb and purposefully not understanding, waiting for me to get bored and stop responding, whereupon you will declare victory.

I think that maintenance programmers hate and fear closed-source software more than anything else in the world, so they are in the business of howling that closed-source software is likely to be malware and should never be accepted by any user --- for obvious reasons, the maintenance programmers want all software to be open-source.

_________________
When all else fails, write the source.
DimonSoft 22 Nov 2020, 09:37
Hugh-Aguilar wrote:
The reason is that those languages allow access to memory that they are not allowed to access and/or they allow user-written machine-code to be called that could do pretty much anything.

I’m sorry to tell you again that Java/.NET-like environments are neither secure nor safe although they are designed to forbid access to memory outside their management (they usually have some escape features like JNI or P/Invoke but those are not required to find and exploit vulnerabilities).

Now let’s consider other feature-limited languages like Brainfuck, Logo, КуМир/ИнтАл, add yours to the list. AFAIK, none of their respective authors claim their safety/security (at least for those I’m familiar with).

The Meltdown/Spectre/RowHammer family of attacks is all about being unable to prevent access to arbitrary memory with plain bound checks. You were asked to dive into the topic a few times by now, but…

Hugh-Aguilar wrote:
I don't think that you are paying attention.


Hugh-Aguilar wrote:
I think that you are just playing dumb and purposefully not understanding, waiting for me to get bored and stop responding, whereupon you will declare victory.

As for me personally, I just don’t care at all. As professional skills get higher, discussion experience also grows and at some point the value of making sure “I won” just becomes zero.

Hugh-Aguilar wrote:
I think that maintenance programmers hate and fear closed-source software more than anything else in the world, so they are in the business of howling that closed-source software is likely to be malware and should never be accepted by any user --- for obvious reasons, the maintenance programmers want all software to be open-source.

Trying to put labels on people whom you don’t even know means you’re either trying to be a troll, or have reasons to be afraid of people who are trying to be helpful and mention things and facts you are not aware of.

It’s not hard to find who I am and notice that I’m not a fan of open source at all. For obvious reasons: I can count good, reliable open source software with fingers of one hand, FASM taking one of them. So, I don’t count as “maintenance programmer” by your definition but still am worried when I see the claim to make a secure language by just doing what others tried for years and failed.

In fact, this whole discussion is all about people being triggered by your claim that may only count as marketing. Most of us are just tired of explaining to numerous Java-boys who believe such claims for Java that they got trapped by marketing, guess what we feel when we see such a claim anywhere else.
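
Added example, not part of any post in this thread: the remark above that plain bound checks do not stop this family of attacks, shown from the runtime author's side for the Spectre bounds-check-bypass case only (it does nothing for Meltdown or Rowhammer). The names `vm_t`, `VM_CELLS`, `index_mask`, `vm_fetch_checked` and `vm_fetch_masked` are hypothetical and belong to no project mentioned here; the clamping is the same idea as Linux's `array_index_nospec()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VM_CELLS 16                 /* constructed sandbox size */

typedef struct {
    int64_t cells[VM_CELLS];        /* memory the guest program may touch */
} vm_t;                             /* hypothetical sandbox VM state */

/* All-ones when index < size, zero otherwise, computed without a branch.
 * Valid for size <= SIZE_MAX / 2. */
static size_t index_mask(size_t index, size_t size)
{
    /* Top bit is set if index is huge or if (size - 1 - index) wrapped. */
    size_t top = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return top - 1;                 /* 0 -> all-ones, 1 -> 0 */
}

/* Plain bounds check. Architecturally correct, but if the branch is
 * mispredicted the load can run speculatively with an out-of-range index. */
int vm_fetch_checked(const vm_t *vm, size_t index, int64_t *out)
{
    if (index >= VM_CELLS)
        return -1;
    *out = vm->cells[index];
    return 0;
}

/* Same check, plus a data dependency: an out-of-range index is forced to 0
 * before it reaches the load, so even a speculated load stays inside cells[].
 * A production runtime must also stop the optimizer from folding the mask
 * away after the check (Linux hides the value from the compiler for this). */
int vm_fetch_masked(const vm_t *vm, size_t index, int64_t *out)
{
    if (index >= VM_CELLS)
        return -1;
    index &= index_mask(index, VM_CELLS);
    *out = vm->cells[index];
    return 0;
}

int main(void)
{
    vm_t vm = {{0}};
    int64_t v = 0;

    vm.cells[3] = 42;               /* constructed sample data */
    printf("in range:     rc=%d value=%lld\n",
           vm_fetch_masked(&vm, 3, &v), (long long)v);
    printf("out of range: rc=%d\n", vm_fetch_masked(&vm, 1000, &v));
    printf("mask(3)=%zx mask(16)=%zx\n",
           index_mask(3, VM_CELLS), index_mask(16, VM_CELLS));
    return 0;
}
```

Both functions return the same results for every index; the difference is only in what the CPU can do before the branch resolves, which is why no test of a language's visible semantics can show that its bounds checks are sufficient.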
revolution 22 Nov 2020, 10:24
And still the OP has not explained how "Safety" Forth is going to prevent all Rowhammer/Spectre/Meltdown classes of attacks, or any future discoveries that are currently unknown.

I think that the OP doesn't understand what Rowhammer/Spectre/Meltdown are, seeing as how the only solutions posted so far will have no effect.

If you want to be believed then show us what you have done to address those issues.

Making claims that people "can't write malware" using language/compiler XYZ requires a lot of proof. A lot. Also there is the commonly known fact that "you can't prove a negative". So how you plan to prove the compiler is perfect and has no flaws, and can prevent exploitation of all possible flaws, known and unknown, in all systems, is looking very much like a hard ask IMO.
Furs 22 Nov 2020, 14:04
Hugh-Aguilar wrote:
malware: Programs that access memory or files that they are not authorized to access.
So you're saying a program inside a Virtual Machine can't be malware because it can't write things outside of it? But oops, it can, there's vulnerabilities to escape sandboxes/VMs found all the time (including the aforementioned Spectre). Even for your Java example that you gave as a "safe" language, there are thousands of CVE vulnerabilities if you search.

https://en.wikipedia.org/wiki/Privilege_escalation
Hugh-Aguilar 26 Nov 2020, 06:36
DimonSoft wrote:

In fact, this whole discussion is all about people being triggered by your claim that may only count as marketing. Most of us are just tired of explaining to numerous Java-boys who believe such claims for Java that they got trapped by marketing, guess what we feel when we see such a claim anywhere else.

Putting me in the same category as a "Java-boy" is an unfair troll attack. I have not gone to college, so I'm not really anybody's "pocket boy" (that is a Russian term, but I think the meaning is obvious).

I don't program in Java, and I have no interest in Java because it is over-complicated and feature-bereft (no true closures), and pretty much the COBOL of the 21st century. My language design allows "quotations" that are anonymous functions defined inside of a parent function. The QXT (quotation execution token) can be passed into a HOF (higher order function) that will execute it. The quotation will have read/write access to the parent function's local variables, despite the fact that the HOF has local variables of its own. Java doesn't have anything like this --- Java is a useless toy primarily popular in colleges (it replaced Pascal as the primary teaching language of colleges). I already have (since 2016) quotations working under VFX Forth and SwiftForth, although my code is not ANS-Forth compliant.

Pascal (actually Delphi) is a lot more powerful than Java because it has nested functions that are roughly comparable to quotations. This is why I suggested a Safety Pascal that would inter-operate with Safety Forth. I don't like Pascal though (I have experience in Quick Pascal under MS-DOS), so I don't want to get directly involved in Safety Pascal. I don't like C either, although GCC (not ANSI-C compliant) does have nested functions roughly comparable to quotations. I'm primarily a Forther.

Let's have a head-count: how many people use Menuet?
Of these, how many people are interested in a high-level programming language that allows closed-source distribution of programs (as compared to FASM programs that have to be open-source to be distributed)?

_________________
When all else fails, write the source.
DimonSoft 27 Nov 2020, 13:02
Hugh-Aguilar wrote:
DimonSoft wrote:

In fact, this whole discussion is all about people being triggered by your claim that may only count as marketing. Most of us are just tired of explaining to numerous Java-boys who believe such claims for Java that they got trapped by marketing, guess what we feel when we see such a claim anywhere else.

Putting me in the same category as a "Java-boy" is an unfair troll attack.

Nobody did. I just mentioned that people with Java background tend to be among those who are vulnerable to the marketing claims like this and are willing to spread them around. That just explains why the same claim (especially mentioning Java) makes the community react this way.

Hugh-Aguilar wrote:
as compared to FASM programs that have to be open-source to be distributed

Can you share/quote the source of this requirement?
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
